Data breaches happen under even the strictest governance plan and policies. In fact, data breaches happen more often than you might expect. According to Positive Technologies, there were 765 million people impacted in just April, May, and June of 2018.

When faced with a data breach, every minute counts. This isn’t the time to talk about the “would of, could of, should of.” This is also not the time to point fingers. Like a slow leak in a water pipe, now is the time to find and stop the leak, remediate open vulnerabilities, and put measures in place to make sure a Personally Identifiable Information (PII) spill or data breach doesn’t happen again. In this article, we discuss how to quickly control a PII spill and some of the things you can do to restrain a data breach.

Figure 1. A PII spill is just like a leaky pipe.

What is PII

PII stands for Personal Identifiable Information. It was first used by NIST in 1979. NIST describes PII as “Any information about an individual maintained by an agency, including:

(1) Any information that can be used to distinguish or trace someone’s identity, such as name, social security number, date, place of birth, mother‘s maiden name, or biometric records; and

(2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

In this day and age, where every app on your phone holds some kind of PII about you, data breaches have become common news. Just last month on September 29, 2019, Door Dash announced it had a data breach that impacted 4.9 million users. This data included users’ drivers’ license numbers, full names, addresses, and phone numbers. Door Dash sent an email out to its customers that stated, “Out of an abundance of caution, we are encouraging all of those affected to reset their passwords to one that is unique to DoorDash.”

FEMA also experienced a PII leak and data breach during hurricanes Harvey, Irma, and Maria, as well as during the 2017 California wildfires. FEMA’s response to the PII leak was considered weak and untimely by the OIG (Office of Internal General). The OIG found that FEMA/DHS “did not test all system contingency plans, develop procedures for handling sensitive information, or identify alternate facilities to recover processing in the event of service disruptions.”

What Can a Hacker Do With PII?

A hacker doesn’t need a social security number and date of birth to cause harm to your employees and customers. Just having the target’s first and last name, email address, physical address, phone number, and last four digits of a credit card is enough to do damage. The verification process used by most companies involves a couple of pieces of the person’s information when completing a change to service, sending a paycheck to another address, or setting up a service like Door Dash.

Figure 2. Experian Verification.

Ways to Control A PII Spill and Data Breach

The worst thing you can do after discovering a data breach is nothing at all. The more proactive you are, the quicker you can get ahead of the leak. On September 7, 2017, Equifax announced that 145.5 million records had been breached. It was later discovered that Equifax knew about the data breach months before. To avoid a scenario like this, here are eleven tips to help you take action:

1. Don’t panic. When your company is dealing with a data breach, you want to make decisions that are strategic and put you closer to determining the breach source.

2. Prioritize finding the source of the leak. The “source” can be a system or a person. In either case, you’ll need to work with your security and IT department to follow the trail. Having an enterprise risk management system like Compliance Guardian can be a great asset when narrowing down your PII spill and data breach.

3. Contact your vendors. The November 15, 2013 Target data breach was one of the largest data breaches in years. One reason it was so hard for Target to gain control of the PII spill and data leak was because they were unsure where the breach was coming from. They later learned that their HVAC vendor was the source of the data breach. The Target data leak involved 40 million credit card numbers and cost Target a total of $202.

4. Deploy a risk management system. AvePoint’s Compliance Guardian can be critical in helping you solve your PII spill and data breach. It’ll tell you exactly where the data breach is coming from and how it’s spread throughout the organization. Compliance Guardian can also spot enterprise risk quickly and allow you to create reports that save you time and money. If your organization works with PCI, FTI, GDPR and/or HIPAA, having a risk management system is essential.

5. Assemble a “war room” to deal with investigations, compliance and regulation issues, and internal and external communication. The best thing you can do is to assemble your senior management along with your security team to come up with a plan of recovering the source of the data breach.

6. Communicate often! Companies don’t like negative publicity, but by not communicating you can make the data breach even more costly and a publicity nightmare.

7. Involve legal and insurance partners early. After a large data breach, you’ll need assistance from your legal team to assist with your response and legal ramifications. Your insurance company should also be advised of the PII spill and data breach to start putting a cost on the data breach impact.

8. Have one source of truth spokesperson. Because we live in the days of social media and real-time communication, it’s not uncommon for several people representing your company to be tweeting or providing updates to the media about the data breach. Avoid this! Designate a single person to act as the mouthpiece of your organization.

9. Review archived reporting. Reviewing your risk management reports for the last few months can provide clues to where the PII spill and data breach may have come from. You want to start with your Corrective and Preventive Action (CAPA) reports. CAPA report along with lifecycle workflows is available in AvePoint’s Compliance Guardian.

10. Make reports easy to understand. What good is a report if it can’t be consumed? Make sure the reports are easy to digest by C-level management and provide enough data for your security team to respond to.

11. Monitor corporate accounts and alerts. Sometimes the aftershock is worse than the earthquake. While focusing on the cleanup of your PII spill and data breach, continue reviewing your risk management system for irregular activity.

Closing

As an organization, you want to take as many proactive precautions against data breaches as possible. These eleven steps should help you prepare for the worst and know what to do if it happens. Do you have any other tips you think readers should know about? Drop them in the comments below!